Chief audit executives do a lot of things really well, adding value to the companies they serve. What is especially interesting is how well many, especially CAEs of larger companies, gain information and insight through networking. Many are involved with their peers in industry or geographically based discussion groups, sharing through blogs, conferences, and internet-based information exchanges. And of course there’s still the opportunity to communicate via email or text or pick up the phone to talk with a valued colleague.

I’m a member of one internet-based group – though I tend to read rather than write – and am struck by several themes that are the subject of intense discussion and debate. Among them is the extent to which internal audit can and should become more actively involved in its company’s “governance” activities, however the term is defined. There’s an emerging consensus that yes, it should, and that with their insights and skill sets internal auditors can add significant value, with an eye toward moving up the organizational scale from process-level work to senior management’s and the board’s activities. Another topic is the transition from providing risk and assurance services to performing more consultative services. The debate is heated, recognizing that IIA Standards speak to and enable both, with strong views expressed regarding the opportunities to add value while keeping in mind the need to maintain independence and objectivity. A related subject under discussion involves opportunities for internal audit personnel to move within their companies to other staff or operating units, into any number of management positions. There’s recognition of the benefits to the internal audit function’s recruiting, development and ability to add value, though caveats are expressed and concerns exist regarding retaining objectivity.

Relevant is the IIA Research Foundation’s 2010 Common Body of Knowledge Global Internal Audit Survey, called the “most comprehensive global study conducted on the practice of internal auditing.” Of particular interest is where practitioners focus attention now versus where they see internal audit five years from now. The study shows that while current attention is centered on operational and compliance audits, auditing financial risks, fraud investigations and internal control evaluations, the focus will shift. Going forward, internal audit is expected to be looking more closely at corporate governance, enterprise risk management, linkage of strategy and corporate performance, ethics, migration to IFRS, social and sustainability issues, and disaster recovery testing and support. Other topics are mentioned, so readers might want to take a look at the report.

I marvel at the internal auditor networks, where practitioners are benefiting from the exchange of information and thought. If you’re not already involved in one, you might consider looking into how you can do so.

As you may know, the Dodd-Frank Act gave institutional investors and shareholder activists perhaps the item highest on their wish list: ready access to the proxy statement, with the ability to name their own director nominees. And the SEC developed enabling rules to make it happen. Well, the U.S. Court of Appeals for the D.C. Circuit just pulled the rule out from under shareholders. If you’re a shareholder activist, you’re probably outraged, but if you’re a board member or a member of the senior management team, you’re likely breathing a sigh of relief!

The suit was brought by the Business Roundtable and the U.S. Chamber of Commerce, and many thought it didn’t have much chance of succeeding. But succeed it did. The court ruled the SEC “acted arbitrarily and capriciously” in failing to adequately consider the rule’s effect on “efficiency, competition and capital formation.” In its unanimous decision, the court added that the SEC “inconsistently and opportunistically framed the costs and benefits of the rule; failed adequately to quantify the certain costs or to explain why those costs could not be quantified; neglected to support its predictive judgments; contradicted itself; and failed to respond to substantial problems raised by commenters.”

And this isn’t the first time the Court shot down SEC rules – it’s happened several times in the last few years, also on the basis that the SEC didn’t properly assess the economic effects. So, where does the Commission go from here? Since this decision was issued by a panel of the Court, the SEC could ask the entire Court to review the case, or appeal to the U.S. Supreme Court. Or, it might want to conduct a more in-depth economic assessment of the rule to satisfy the Court, or come up with another rule. As the U.S. Chamber calls its victory “a big win for America’s job creators and investors,” the SEC is “reviewing the decision and considering our options.”

For what it’s worth, my view is that direct shareholder nominating of directors can be counterproductive. While seemingly supported by the concept of a democratic process, putting dissident or one-issue directors on the board, which might have occurred, would normally not serve a board, the company or its shareholders well. While the SEC’s rule seemed reasonable in terms of effecting the law’s mandate, perhaps the SEC can come up with something better.

It’s well known that a company’s tone at the top is critically important in determining its culture, including whether or not it will act with integrity and ethical values – fundamental elements of effective internal control and risk management. And we know it’s not only the words spoken at the top, but also the CEO’s actions that drive culture. What brings this to mind is the recent conviction of the CEO of fraud detection firm Fraud Discovery Institute. While a conviction of the head of this type of firm might appear unusual though not particularly noteworthy, what’s truly compelling about this news is that the CEO is none other than Barry Minkow.

If you were following internal control, risk management and fraud back in the late 1980s, you’ll likely remember the well-publicized fraud carried out by Minkow when he led ZZZZ Best Co. Reportedly he started the business at age 16 and took it public at a valuation exceeding $200 million. But it turns out he cooked the books and falsified documents to support the fraudulent financial statements. Having been found out, he was convicted and sentenced to a 25-year prison term, ultimately serving a bit more than seven years. After leaving prison, he started Fraud Discovery Institute in San Diego to uncover corporate fraud for clients, and took on a role as pastor of a community church. Why would anyone hire his newly formed firm? Well, certainly Minkow could be termed an expert in how to commit fraud, and thus how to prevent it, and having paid his dues to society it’s understandable that he was given the benefit of the doubt in redemption and starting a new and productive life.

It would be nice if this story had a happy ending, but it turns out that in his new firm Minkow reverted to his old ways. Prosecutors claimed that Minkow “made false and misleading statements about Miami homebuilder Lennar Corp.’s financial condition to drive down the company’s share price [and] abused his relationship with federal law enforcement agents to get non-public information about Lennar and traded on that information.” And the 45-year-old Minkow was sentenced in federal court to a five-year prison term.

One could say that “once a crook, always a crook,” but that would be unfair. People do bad things and then turn to the straight and narrow, and go on to do good deeds in their lives. Nonetheless, when it comes to leading a business, it’s not three strikes and you’re out, but two, or more likely one. The tone at the top and the actions of a CEO are too important to entrust to anyone whose background does not demonstrate not only skill and performance, but also integrity and ethical values.

The sea of blue suits at the OpRisk North America conference being held in New York City this week provides a stark contrast to the cold rain falling in Times Square. The conference kicked off with a keynote address from Mitsutoshi Adachi, director and deputy division chief at the Bank of Japan. Mr. Adachi, who also serves as chair of the SIG Operational Risk Subgroup for the Basel Committee, noted that his travel plans had to be moved up a few days in order to account for the continued travel delays out of Japan.

His keynote highlighted a recent report published by the Basel Committee on Banking Supervision titled “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches” which found that “Operational risk capital for non-AMA banks is higher than for AMA banks, regardless of the exposure indicator used for scaling.” Mr. Adachi also noted in his address that AMA firms showed “only modest increases in losses during the financial crisis period.” Certainly not an unexpected result but what was telling was his finding that for the period of 2008 to 2009 (during the financial crisis), operational risk losses for all banks were “2 to 3 times fold” compared with the previous Basel Committee internal loss data collection period of 2005 – 2007. Mr. Adachi declined to field a question on which business lines contributed the most to the losses, per his obligation to keep such information confidential.

He concluded by saying that “the Basel Committee finds it even more important to engage with the industry” moving forward. Looking forward to the Plenary address “Reforming U.S. financial markets: reflections before and beyond Dodd-Frank.”

Unless you’ve escaped to a remote island with no communication capability, you know about the serious issues facing banks and mortgage generators and service companies surrounding the foreclosure fiasco. For background, you might want to refer back to my October 15 blog which outlines some of the problems stemming from shortcomings in risk management and related internal control.

Well, the lawsuits have begun, with tens of billions of dollars at stake. State courts already have issued rulings, with the Supreme Judicial Court of Massachusetts, the state’s highest court, deciding that two major banks did not have the appropriate documentation when they foreclosed, and returning the properties to the borrowers. New York State’s chief judge, noting “it’s such an uneven playing field [where] banks wind up with the property and the homeowner winds up over the cliff [not serving] anyone’s interest, including the banks,” set forth procedures to ensure all homeowners facing foreclosure have legal representation. The impact in human terms is illustrated by recent reports of how two large banks took action against active-duty servicemen and overcharged 4,000 service personnel, reportedly failing to follow the Servicemembers’ Civil Relief Act, which caps mortgage interest rates for active-duty personnel and restricts foreclosures against them. More lawsuits are on the way, led by a former prosecutor driving a class action.

Not only might other states become more proactive, but no fewer than three federal government agencies have begun investigations – the Department of Justice’s Executive Office for U.S. Trustees, the Federal Housing Administration, and the Federal Reserve. And none of this has been lost on a coalition of all 50 state attorneys general, which recently presented the five largest banks with a set of game-changing demands. Reports say these include a prohibition against beginning foreclosure proceedings while a borrower is actively seeking a loan modification, a requirement that a borrower making three payments under a temporary loan modification agreement be granted a permanent modification, automatic review of modification turn-downs by an ombudsman or independent review panel, compensation programs that reward employees for pursuing loan modification rather than foreclosure, curtailing of late fees, and, where banks engage in misconduct, compensation of borrowers from a pre-established fund and reduction of mortgage balances. While some analysts say these changes would drag out the foreclosure process and delay stabilization of the housing market, this attorneys general plan is reportedly supported by the newly formed Consumer Financial Protection Bureau, along with the Departments of Treasury, Justice, and Housing and Urban Development, and the Federal Trade Commission.

We continue to wonder how major banks dealt with the basics of risk identification and analysis – the risk that reliable documents would be needed in the foreclosure process – and establishing control activities to ensure document processing was accurate and complete, with files intact and readily accessible when needed, and accountability in carrying out control procedures. And we can wonder about due diligence in selecting and using outsourcing firms.

Does risk management and related internal control matter? Unfortunately, learning too late may cost financial institutions billions of dollars.

It should be news to no one that global companies today are struggling with an increasing regulatory onslaught. And as we’ve seen with Dodd-Frank, it’s clear that we can expect continued landmark legislation globally to address the risk management failures of the financial crisis. Chris McClean of Forrester Research recently commented that there are nearly 200 regulatory changes still on the US federal agenda across finance, healthcare and consumer protection. Beyond congressional action, we’ve also seen current regulators cracking down under their existing mandates. The question that many OpenPages customers are addressing today is: how can organizations prioritize and cope with such a large number of regulatory changes, and how can they prepare for upcoming rulemaking? Many companies are turning to policy management software to establish regulatory change management, regulator interaction management and policy lifecycle management.

Policies establish the culture, values, ethics, and duties of the corporation. Organizations that take an ad hoc approach to managing and communicating policies face significant risk to their business. The key to effective compliance and policy management is having a formalized and efficient mechanism for communicating changes to regulations and managing the internal regulatory change process so the business can react quickly – particularly in times like these, when the regulatory environment is complex and changing frequently. It is also important to manage the interactions, communication and internal work associated with external regulators, such as inquiries, submissions, filings, exams and audits. Today, this tends to be a very time-consuming, manual process for most companies.

To learn more about implementing an effective compliance and policy lifecycle management program, check out a recent webinar we conducted with Michael Rasmussen, president of Corporate Integrity LLC.

Several months ago I had the pleasure of presenting with Richard Brilliant, Carnival’s vice president and chief audit executive of Audit Services in a Compliance Week webinar titled: “Leveraging the Power of Integrated Risk Management”. Richard began his presentation by asking a very telling question: “Who specifically is best suited to manage risk in your organization?” The answer of course was “Everyone”. After all, enterprise risk management is about managing risks across multiple risk and compliance disciplines as well as across multiple business units. In other words, ERM requires everyone’s participation to be truly effective and risk awareness and expertise must be instilled at all levels of the organization.

Coming in at #4 on the 2010 GRC Wish List, Risk Expertise is something that needs to start at the top. Risk expertise is a skill set that boards are looking for in their executive teams and is something that could potentially find its way into regulatory reform this year.

Sponsored by the UK government and published this past fall, the Walker Review recommends overhauling the boards of banks and other big financial institutions by requiring the Chief Risk Officer to have a reporting line to the risk committee, in addition to strengthening the role of non-executives and giving them new responsibilities to monitor risk and remuneration.

Some of the specific recommendations in the Walker Review include:

- Banks should have board-level risk committees chaired by a non-executive director
- Risk committees to scrutinise and, if necessary, block big transactions
- Chief Risk Officer to have a reporting line to the risk committee
- Chief Risk Officer can only be sacked with the agreement of the board

It is clear that risk management will be under increasing scrutiny in the UK (and across the globe), and that risk expertise will be increasingly important in 2010.

We recently had an interesting discussion on what GRC professionals are hoping to achieve in 2010. We had so much fun we decided to publish a 2010 wish list for risk and compliance managers. The list is based on conversations we had with our customers, prospects and industry experts over the past several months.

Why are there 10? Well, as George Carlin mused in his skit about Moses and The Ten Commandments, “because 10 sounds official. Ten sounds important! Ten is the basis for the decimal system, it’s a decade, it’s a psychologically satisfying number (the top ten, the ten most wanted, the ten best dressed). So having ten commandments was really a marketing decision!”

All kidding aside, we’d love to get your reaction to our list and see if we left anything out. We’ll drill down into more detail for each one over the next ten days! Here’s the list:

Leading research and analysis provider Chartis Research recently released the 2009 RiskTech100™ report – a comprehensive study of the top technology firms active in the risk management market.

Based on assessment criteria including functionality, core technology, organizational strength, customer satisfaction, market presence and innovation, Chartis named OpenPages the Category Winner in Operational Risk and GRC solutions. This is a real testament to OpenPages’ commitment and success in delivering integrated risk management solutions, as Chartis surveyed hundreds of operational risk vendors.

The study included a survey which found that “66% of respondents expect to increase their risk technology expenditure by 10% or more in 2010” and that users are moving from a siloed approach toward an integrated risk management approach.

It’s become clear that a risk-aware corporate culture is of critical importance to an organization. In the past year alone, we’ve seen plenty of examples in the news where the lack of a risk-aware corporate culture has hurt companies, some beyond repair. Coming in at #3 on the 2010 GRC Wish List is a “Robust Organizational Risk Culture”.

While it is critical to be thoughtful, disciplined, and strategic in your approach, it’s also important to understand how technology can promote a risk-aware culture and become a tool to embed effective integrated compliance and risk management practices within an organization. It can act as a training and awareness tool, a marketing tool, and can help build accountability and push policies and processes into daily activities.

Does your organizational culture reinforce your strategy and risk appetite or undermine it? PricewaterhouseCoopers has developed a “Risk Culture Self Assessment” that will help you understand where your organization stands in terms of how it manages risk. They also published a five-step guide titled “Building a risk-aware culture for success.”

The subprime mortgage crisis has sparked a lot of discussion about risk management and, specifically, whether banks that suffered huge losses did so as a result of failures in the risk management function or in business management in general. The general business management failures occurred in situations where the risk management identified unacceptable risks but the business managers in charge of risk mitigation opted not to mitigate the risk(s).

This failure of exercising good business judgement in spite of warnings from the risk management function is exactly what the CEO at Freddie Mac, Richard F. Syron, is being criticized for in an article in today’s New York Times. Reporters Charles Duhigg and Eric Dash interviewed former executives and others associated with Freddie Mac, and their article paints a picture of an executive team, led by Syron, taking unacceptable risks despite the warnings from his Chief Risk Officer and others.

If senior management, in conjunction with the board, cannot be trusted to make the correct decisions about risk management, then there needs to be better transparency about the risks being assumed by the company, and shareholders can make their own decisions about whether to hold the stock or not. In this case, according to the article, “shoddier” underwriting standards exposed the company to too much risk, and Syron was warned of this situation. But did shareholders have a view into these changing underwriting standards?

Whether or not Freddie Mac could have avoided their recent meltdown given their market share and decline of the housing market is an open question. What is clear is that the risk/reward tradeoff was not managed well and that while shareholders had full visibility to the company’s earnings (the reward side of the equation), there is little doubt that the company did not provide similar transparency to the risk side of the equation. My guess is that increased regulation or shareholder demands will start to encourage better reporting of risks in the business, and not the kind of reporting you currently find in most 10-Ks.

We had the opportunity to host a panel on operational risk at GARP this week in New York. The panel, “Using Operational Risk Management to Gain Competitive Edge”, included moderator Christopher Donohue, Managing Director, Research and Educational Programs, (GARP), and panelists Marcelo Cruz, Global Head of Operational Risk Management and Metrics, Morgan Stanley, Patrick McDermott, Senior Director, Enterprise Operational Risk, Freddie Mac, and Mairtin Brady, Head of Operational Risk Management, TIAA-CREF, as well as me, Gordon Burnes.

At the beginning of the panel, McDermott outlined the basic set of questions that operational risk managers have to answer:

- What can go wrong?
- How bad can it get?
- How likely is it to happen?
- What are we going to do about it?

This is a great way to frame the essence of an operational risk manager’s job, and those new to the discipline will do well to make sure that their program covers off on these fundamental questions.

This was an interesting panel in that each panelist represented a different perspective on managing operational risk programs. The starkest contrasts were between Cruz, representing the quants, and McDermott, representing the value and importance of qualitative information. Cruz took particular issue with scenario analysis but did acknowledge the limitations of models as expressed in confidence levels. It’s clear that there’s a wide range of practice in the industry on this topic, with some banks relying heavily on scenarios to model their capital, others relying more on internal data.

All panelists agreed that the operational risk function is in the ascendancy and is increasingly being brought to the table to weigh in on strategic matters, such as acquisitions or new product launches. One of the key takeaways was that operational risk information can help businesses better define their risk profile, allowing business managers to make better decisions about where to invest and where to focus mitigation efforts.

Recently I’ve been communicating with a former COSO board member about a couple of terms in COSO ERM – specifically about “risk appetite” versus “risk tolerance.”

It’s interesting, as this board member was intimately involved in reviewing drafts of the ERM report as it was being developed and signed off on the final, and continues to be actively involved in discussions on the subject of risk management.

It becomes clear to me that anyone can easily fall into a trap, as follows. When a report, article, or other written document arrives in our hardcopy or electronic inbox, we take care in reading it, digesting it, and being sure we understand it. But over time, as we use the underlying terms and concepts, we begin to factor in our own thinking and judgments, and unintentionally modify their use.

In the case at hand, confusion arose about use of the term “risk appetite,” where it was being used at a lower level than appropriate – a level reserved for “risk tolerance.” To refresh memories, COSO ERM says “Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.” On the other hand, “Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.” It goes on to say “Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole.”

There’s more in the report making clear what each term means, but I don’t want to bore you. And the point here isn’t about these specific terms, but rather our being able to communicate effectively with business colleagues and partners. Okay, maybe I am a stickler for words, though I like to think there’s good reason we all should do our best to use terms precisely.

Today we announced that Julian Parkin, Group Privacy Programme Director at Barclays will deliver the day two keynote address at OPUS 2010. In his address titled, “Supporting Risk Management Initiatives Across the Enterprise with OpenPages,” Julian will discuss how Barclays has leveraged OpenPages for its risk and compliance management initiatives across the globe including data privacy, operational risk and financial controls management.

“As a global financial services organization, Barclays has wide ranging requirements for managing risk and compliance activities across the enterprise and across the globe,” said Julian. “The OpenPages platform provides the integration layer for enterprise risk management, assessment, monitoring and reporting which delivers risk intelligence to business end-users and management. I look forward to discussing successful risk management approaches and how the OpenPages Platform can be leveraged to drive sustainable improvements.”

If you’re an OpenPages customer and would like to learn more from Julian and the extensive cast of industry experts and practitioners at OPUS 2010, register now.

Many of our customers are in the process of rethinking their risk management programs. A key element of any program is the risk control self-assessment (RCSA), which in many cases provides the foundation for the overall program. The RCSA provides a baseline for risk exposure that drives further activity in key areas of risk for the business. Of course, as human judgement is involved, no company would rely solely on this single process for its exposure metrics. Many back-test the RCSA process against actual loss events and validate management’s self-assessment of risk through the internal audit function.

The recent edition of Operational Risk and Regulation highlights the importance of the RCSA process at a large Japanese financial services company, Mizuho Financial Group, one of only two AMA-approved banks in Japan. The article notes that Mizuho Financial Group’s AMA model is largely driven by over 660 different scenarios, which in turn are based on the risk control self-assessment. One of Mizuho Financial Group’s subsidiaries, Mizuho Securities, is an OpenPages customer.

660 scenarios represent a lot of data to keep track of in spreadsheets, especially if you’re tying the scenarios to the RCSA process and ultimately want to back-test the results against actual loss data. Only an integrated, automated approach makes sense, and we’re seeing more financial services institutions abandon their first-generation operational risk systems (and Excel!) as regulatory oversight heats up.
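To make the back-testing step concrete, here is an added Python example (not code from the original post, from Mizuho, or from OpenPages) that compares a self-assessment’s frequency and severity ratings with a realized loss register and flags risks the business has under-assessed. The rating bands, risk identifiers, loss amounts and two-year observation window are all constructed assumptions for illustration, not figures from any institution.

```python
"""Back-test a risk and control self-assessment (RCSA) against realized loss
events. Added illustration with constructed data: band thresholds, risk IDs
and amounts are assumptions, not figures from any bank or vendor."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed rating scales, lowest to highest. Each entry is (upper bound, label);
# a value falls into the first band whose upper bound it does not exceed.
FREQ_BANDS = [(0.1, "rare"), (1.0, "unlikely"), (5.0, "possible"), (float("inf"), "likely")]  # events/year
SEV_BANDS = [(10_000, "low"), (100_000, "medium"), (1_000_000, "high"), (float("inf"), "severe")]  # USD/event


def band(value: float, bands) -> str:
    """Map a numeric value onto its rating label."""
    for upper, label in bands:
        if value <= upper:
            return label
    return bands[-1][1]


def rank(label: str, bands) -> int:
    """Position of a label on its scale (0 = lowest band)."""
    return [lbl for _, lbl in bands].index(label)


@dataclass
class Assessment:
    risk_id: str
    frequency: str  # FREQ_BANDS label as rated by the business
    severity: str   # SEV_BANDS label as rated by the business


@dataclass
class LossEvent:
    risk_id: str
    amount: float


def back_test(assessments: List[Assessment], events: List[LossEvent], years: float) -> Dict[str, dict]:
    """Compare each self-assessment with the loss history over `years`.

    A positive gap means the realized band is higher than the business rated
    it (under-assessed); a negative gap means it was rated too high; a
    severity gap of None means there were no events to measure severity from."""
    losses = defaultdict(list)
    for ev in events:
        losses[ev.risk_id].append(ev.amount)

    results = {}
    for a in assessments:
        amounts = losses.get(a.risk_id, [])
        realized_freq = band(len(amounts) / years, FREQ_BANDS)  # zero events -> lowest band
        realized_sev = band(sum(amounts) / len(amounts), SEV_BANDS) if amounts else None
        results[a.risk_id] = {
            "events": len(amounts),
            "realized_frequency": realized_freq,
            "frequency_gap": rank(realized_freq, FREQ_BANDS) - rank(a.frequency, FREQ_BANDS),
            "realized_severity": realized_sev,
            "severity_gap": (rank(realized_sev, SEV_BANDS) - rank(a.severity, SEV_BANDS)) if realized_sev else None,
        }
    return results


def under_assessed(results: Dict[str, dict]) -> List[str]:
    """Risks whose loss history exceeds the self-assessment on either axis."""
    return sorted(rid for rid, r in results.items()
                  if r["frequency_gap"] > 0 or (r["severity_gap"] or 0) > 0)


# Constructed sample RCSA and a constructed two-year loss register.
ASSESSMENTS = [
    Assessment("OPS-01", "possible", "low"),    # e.g. payment keying errors
    Assessment("OPS-02", "rare", "medium"),     # e.g. lost or incomplete loan files
    Assessment("OPS-03", "unlikely", "high"),   # e.g. unauthorized data disclosure
    Assessment("OPS-04", "rare", "severe"),     # e.g. critical vendor outage
]
EVENTS = [LossEvent("OPS-01", amt) for amt in (2_000, 5_000, 8_000, 3_000, 4_000, 9_000)]
EVENTS += [LossEvent("OPS-02", amt) for amt in (50_000, 120_000, 80_000, 200_000, 60_000)]
EVENTS += [LossEvent("OPS-03", 20_000)]
OBSERVATION_YEARS = 2

if __name__ == "__main__":
    results = back_test(ASSESSMENTS, EVENTS, OBSERVATION_YEARS)
    for rid, r in results.items():
        print(rid, r)
    print("under-assessed:", under_assessed(results))
```

Run on the constructed data, OPS-02 is flagged: the business rated lost loan files as rare and medium-severity, but five events in two years averaging over $100,000 put it two frequency bands and one severity band higher. OPS-03 shows the opposite sign (severity rated too high), and OPS-04 has no events at all, which is the case a spreadsheet back-test most often mishandles: the absence of losses is not evidence that a severe-rated risk was over-assessed, so the severity gap is left undefined rather than set to zero.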

I work in the computer software business and experienced firsthand the dot-com bust of 2000. As VP of Corporate Strategy for a public software company, I was involved in M&A activities, strategic partnerships and large OEM deals with dot-com companies. I rode the wave of going from $15/share to $95 and back down to $5. I understand the difference between client/server, n-tier, and cloud computing, and the subtleties between ISV, OEM and VAR relationships (in this context VAR means “value added reseller” not “value at risk”). I know why the dot-com era was a façade and why the bubble eventually had to burst.

As I read accounts of what was happening during the subprime crisis, I struggled to understand key concepts such as CDS (credit default swap), CDO (collateralized debt obligation) and SPV (Special Purpose Vehicle). I blamed my inability to grasp what was really happening on my lack of experience with complex financial products: I wasn’t “in the business.”

After reading Tett’s book, I now realize that I wasn’t the only one who couldn’t figure out what was going on. “As the pace of innovations heated up,” Tett writes, “credit products were spinning off into a cyber-world that eventually even the financiers struggled to understand. The link between the final product and its underlying assets was becoming so complex that it appeared increasingly tenuous. . . . Most financiers lacked the cognitive skills to truly understand the connections in this new world.” Oh yes, and “even regulators seemed only vaguely aware of what the banks were really doing.”

I highly recommend reading Tett’s book. She is able to decipher Wall Street mumbo-jumbo in terms that a lay reader, or at least a determined lay reader, can understand. Tett provides a rich cast of characters and a storytelling device that helps make this book compelling fun to read. More importantly for risk managers, however, you will also gain a new appreciation for the significance of sound risk management for your organizations. There are lots of reasons why the crisis developed, for example greed, carelessness, and deceptive practices. But across the financial services industry, systemic weaknesses in risk management culture, discipline, and implementation of best practices added fuel to the flame.

In a subsequent blog I will summarize some of the key risk management lessons that Fool’s Gold uncovers.

Fueled by a global audience that is desperately looking for disclosure in the wake of the economic crisis and mature digital computing technologies that make it more and more difficult to contain sensitive information, WikiLeaks has emerged as a viable new threat to data security.

Until now the United States government has been the central target of WikiLeaks attacks, however, with WikiLeaks founder Julian Assange’s recent claim to be ready to release corporate secrets in early 2011, organizations everywhere are faced with a looming risk management challenge that is not likely to dissipate anytime soon.

Experts agree, and Assange himself has suggested, that the information that will be leaked is more likely to consist of internal communications between executives and other employees rather than the personal data protected by privacy compliance laws. However, the threat of any kind of exposure means that corporations need to tighten data security and evaluate areas of potential vulnerability.

Unfortunately, WikiLeaks has highlighted a liability that persists across all corporations and government agencies and that technology and compliance measures alone simply cannot contain: the human factor. The increasing number of compliance and regulatory mandates put in place in recent years has not proven enough to combat the risk posed by employees leaking sensitive information.

A recent poll by Harris Interactive reports that only 9% of companies have adequate crisis protocols in place to protect themselves from a potential onslaught. In this period of uncertainty, with virtually all large enterprises under the WikiLeaks radar, it is vital that organizations devise an adaptable enterprise risk management strategy to identify and manage areas of weakness without sacrificing business performance.

Just as a sharp increase in regulatory compliance mandates has created a necessary shift in industry risk management tactics, so has WikiLeaks spawned the recognition of new vulnerabilities that face companies in the modern digital age. The organizations that are well prepared to assess and mitigate against untested threats, like the one posed by WikiLeaks, are those that combine deep domain expertise with powerful and flexible tools to analyze and weigh the probability and cost associated with any given challenge.

The Globe published an interesting article today about a Harvard Business School professor who resigned just before the scandal at Satyam broke. This was no ordinary professor. Krishna Palepu is an expert in corporate governance, control and accounting, and corporate management in emerging markets. In short, the perfect resume for a Satyam board member. So what went wrong?

This is not an isolated incident. In this financial crisis, many good people on boards of struggling companies have been surprised. And we’ll likely see more of that in the months to come. I think it’s overly simplistic to blame the board, and certainly in this case, in which Palepu is so obviously qualified. What we see frequently is that internal control systems and risk assessment processes are not mature enough to catch wrongdoing or, and this may be more important, to change behavior. Companies that are growing quickly, like Satyam, have the most difficulty putting in place the risk management process to catch the kind of fraud perpetrated at the company. My guess is that in the future business processes will be designed from the bottom up with risk management in mind. As we’re learning, it’s too hard to do it after the fact, especially for the complicated businesses we’re trying to govern today.

You’re a CEO, senior manager, or board member watching your once-great company brought to its knees. You imagine yourself on the deck of the Titanic, your world coming to an end—your once confident self embarrassed in front of colleagues, competitors, friends, family, and the larger communities in which you once thrived and were held in such high esteem.

This is the first sentence of a just-released book published by John Wiley & Sons. I got my hands on an advance copy, and it is compelling reading. It analyzes how – while facing different circumstances in different industries – common themes underlie why once-great companies have seen their fortunes sink, while others withstand economic turbulence and hazards to continue to grow and reap the rewards of success. But the book is not solely about how to avoid disaster. It highlights how having the right infrastructure enables an organization’s positive qualities to lead to success. That infrastructure includes what’s needed to avoid the kinds of disasters that can befall any organization, but it is also essential to identifying opportunities and being positioned to seize them for competitive advantage.

I don’t often recommend books to others, but this one is exceptional. It has a long title: Governance, Risk Management and Compliance – It Can’t Happen to Us: Avoiding Corporate Disaster While Driving Success. I believe the substance stands up to its claim that “unlike other books, this one is not aimed solely at senior managers or solely at members of boards of directors. It’s directed to both, with an added objective of providing insight into the interface between the two.”

You might be asking why Steinberg is spending so much space here touting this book – is it because the book is really that valuable, or does he have some ulterior motive? Well, okay, I’ll fess up – the answer is “both.” Yes, as you may have guessed, I wrote the book. And I apologize for withholding that important fact until now! But I do believe virtually any reader of this blog will greatly benefit from reading the book. And I’m pleased that I’m not the only one who thinks so. Here’s what some others, whose names you might recognize, are saying:

Rick Steinberg is a time-tested expert in this ever more essential field. His refreshing candor in assessing recent shortfalls makes this book a must-read for corporate leaders — Mark R. Fetting, Chairman and CEO, Legg Mason, Inc.

This outstanding book provides a critically important perspective on how risk management can only be truly achieved by aligning culture, strategy, compliance programs, and compensation. It should be must reading for any board member concerned with improving the management of risk — Jay Lorsch, Louis E. Kirstein Professor of Human Relations, Harvard Business School

A comprehensive and insightful examination of corporate governance. A must-read for those of us who are CEOs and serve on public boards — Randall L. Clark, Chairman and CEO, Dunn Tire LLC; former Chairman and CEO, Dunlop Tire North America

Attention directors and officers: Ignore this book at your own peril. Richard Steinberg has crafted a careful, thoughtful approach to managing risks, and it should be required reading for Corporate America — Scott S. Cohen, founder and former Editor and Publisher, Compliance Week

Richard Steinberg’s comprehensive and clearly written work will substantially benefit both new and experienced directors. It will help corporate boards recognize the challenging forces businesses face, as well as the techniques and standards available to intelligently monitor and supervise firms and their senior management. An easy and engaging read, this book should be on the bookshelf of every corporate director — William T. Allen, Director, NYU Pollack Center of Law & Business; former Chancellor, Court of Chancery of the State of Delaware

Richard Steinberg, a respected and time-proven governance hand, has written a most enjoyable and thought-provoking work—an excellent addition to anyone’s governance shelf! — Charles Elson, Edgar S. Woolard, Jr., Chair in Corporate Governance and Director of the Weinberg Center for Corporate Governance, University of Delaware

By the way, the IBM Open Pages people were kind to allow me to use a paper I wrote for them as the basis of one of the chapters. I hope you will consider reading the book, and I trust you will not be disappointed!

Just attended a great session presented by Matthew Neels, Chief Compliance and Risk Officer at Capital One. Mr. Neels focused on building board interaction and driving board attention to the right areas of risk through an integrated risk management framework. He began with an interesting question, “Should you be using an implicit or explicit framework and how is your board making a decision on that framework?” The correct answer of course is: both are required to effectively manage risk.

He explained how explicit frameworks enable structured board discussions through a consistent and common approach, whereas implicit frameworks rely on “corporate culture and deep experience.”

In his session, Mr. Neels also detailed how multiple stakeholders use frameworks for ‘decision making, reporting and escalation’ and in particular, how the Board uses frameworks to:

Provide an objective yardstick or measure

Create a basis for understanding

Identify situations and areas that need attention

Highlight areas doing well

Help differentiate between expected and unexpected

The discussion then moved to how “driving board attention to the right areas can be difficult” as board reporting is often a “laundry list of potential risks, current issues and decision requests.” He stated, “Without a framework you have everything coming in at once without context.” He then offered several suggestions for preventing information overload:

Specific and quantifiable tolerance measurement is critical to driving board attention to the right areas

Set your risk appetite

Create a risk framework

Determine standard metrics and KRIs

Establish risk tolerances

Establish risk limits

The goal according to Matthew is to establish a “common scale that enables cross-category comparisons and risk aggregation.”
